So, just when we've about beaten the topic of HS CAN Bus diagnostics into relative "submission", the need for "intrusion prevention" takes it to the next level with the adoption of "Isolated" Networks. There is purposely no vehicle identified in the fields, because the topic lends itself to new platforms as they come to market.
With High Speed CAN Bus being such a popular topic in various forums and many technicians now being able to diagnose system maladies with relative ease, isolated networks make it rather more challenging. Since I focus on GM products, I created a "simple" slide that is "very loosely" based on a 2018 GMC Terrain, to demonstrate the Bus topology. It is by no means complete, but rather a representation of how the networks are connected with this new layer of protection.
I intentionally omitted a multitude of other networks that are interconnected, so the slide focuses on only LS and HS GM LAN. It demonstrates how these and for that matter the other networks (not shown) are protected from intrusion by passing through the K56 Serial (Central) Gateway Module. This will make for more of a diagnostic challenge than when LS and HS GM LAN were "out in the open", as used on earlier platforms.
We no longer are able to "see" all of the modules on a network, due to there being what can be called a "clean" side and a "dirty" side. Consider the "dirty" side, as once being an easy point of access for hackers to vehicle critical systems, via insertion of customer devices and other methods.
Isolating modules on the same bus makes for a rather more complex diagnostic path that will be more heavily reliant on scan data, DTCs and performing intrusive testing with a Digital Multi-Meter to obtain various measurements on physical wiring, inline and component connections. Diagnosis will involve gathering necessary information such as DTCs and symptoms, then following SI down the "path of righteousness", step by step. While I am sure that testing will become a more comfortable and familiar process in due course, we can and should expect that there will be a learning curve.
Will dragging out a DSO be of any real use? That is your call to make, but I've always been one for using the simplest method of capturing information useful to make a quick diagnosis. However, I do use a DSO for case studies for the visual effect, or in the lab to demonstrate types of signals that we are measuring.
Whatever the tool of preference, there is no longer opportunity for "down and dirty" quick testing via the DLC, as in the past. Quite simply, "you can't get there from here" anymore. So, access to the physical bus with the "firewall" protection will be rather more intrusive than in the past, requiring more disassembly. Just to make it more "fun", you will discover that disassembly to access these systems will also require more work than in the past, with more removal of trim and component layers for access.
Martin, great write-up. I still believe that there will be a greater need for the use of scopes. Measuring an average voltage on a network line with a DVOM is not enough. We need to see the network and verify that it's reaching its specified voltage ranges. Also, networks are communicating faster; try to use a DVOM to measure a LIN bus.
Hi Thomas. Funny thing is that we've been successfully diagnosing CAN Bus, LIN Bus and more for many years, with a DMM. While a Fluke 87 or 87 III is pushed a bit, a Fluke 87 V is 4 x faster on peak min max @ 250 µS.
That is sufficient to identify Bus differential voltage and the difference in voltages on Bus + and Bus - that add up to the 5v. Between scan data, DTCs, a capable DMM and the GM Data Bus Diagnostic Tool it has not been an issue.
GM single wire LIN Bus runs at a lowly 10.417 Kbit/s, hardly "lightning" fast. It will just take a little more effort to access some of these components and circuits. In the end, it is little more than tracing circuits and performing routine tests with the tools of choice.
BTW, I'm not saying that a DSO isn't useful. It may well be the outright best tool for some tricky diagnostic "escapades".
Seems like the same thing that the information technology industry has gone through from the telephone to the world wide web. We are and have always been, as techs, on the physical side of the network. Testing to be sure connections have continuity being the lowest level of the network stack, we will likely need to become much more technically proficient over the coming years and move into understanding how the network works on a higher level. Firewalls are not really a hindrance if you have physical access to the network. That's pretty much how these "hackers" are bypassing them in practice now, just cutting into the network past the firewall, negating it completely. Yes, this isn't going to help someone who wishes to "hack" a car remotely, but in our case being given physical access to the vehicle isn't a problem. Packet analysis may even become part of our tool kit. Lucky for us, CAN networks are nothing new and there are a great deal of resources on the subject, even tools that may need to be re-purposed for our needs. I just got done assembling a tool to read, capture and inject CAN messages. Hoping to find more useful tools and information moving forward.
I agree Jeffrey. Remote "hacking" really should be the focus of malicious hacking, or even quick access with consumer devices such as USBs that can access systems and modify or corrupt programs.
Physical access and bypassing gateways is a slightly different prospect and is clearly going to be more time-consuming than in the past.
In the end, for the diagnostic technician, it's just wires, connections and some basic electrical testing routines that need to adapt to each new system as it is introduced with added security. It's just going to be a bit more work and use of scan data and DTCs in the information gathering phase.
Question, Martin! Looking at your diagram, it looks like powertrain will be directly accessible from the DLC. Everything else is routed through the gateway. Mercedes and BMW use a gateway to access other networks. Is there something different that I'm seeing? Not too hard to diagnose problems on those modules.
Hi Mike. The Bus + and Bus - leave the DLC terminals 6 and 14 and enter the BCM, where they take different directions, with the powertrain branch leaving the BCM at X6 and the other branch going to the serial gateway module from BCM connector X1. So, yes it does appear that there is direct connection via the DLC with the powertrain modules.
With one termination resistor beyond the serial gateway module and the other on the opposite branch in the ECM, HS CAN Bus testing may well require more intrusive tests rather than the down and dirty tests at the DLC that we'd normally do. I have a couple of ideas that I'm going to put to the test on one of our vehicles. In the end, it's just physical wiring and connections like anything else, following the relevant schematics and access points for inline connectors or at modules. Still, it will make for a bit more of a time-consuming activity than finding an open or shorted Bus and "breaking" it in half to pursue an upstream or downstream fault.
FWIW, on the slide that I posted, I notice that I omitted two Bus wires leaving the BCM going to the Serial Gateway K56 Module that lead to the rear drive module and typical end of run termination resistor.
I think that the term "hacking" really should refer to "remote access" or quick access via the customer device interfaces with USBs and similar corrupted devices. From what I have seen, access to some areas of vehicle networks is going to be a bit more challenging.
FWIW, I don't consider breaking into a vehicle and accessing networks physically, to be the same level of "hacking", that has resulted in cyber security measures in vehicles.
I just looked up an 18 Equinox and I see that 6 & 14 go directly into K9 BCM and out to the powertrain BUS. Everything else goes through K56 gateway.
Similar to a BMW network. We do most of our testing at the JBE on this model.
Hi Mike. That is correct. Just for the heck of it, I just tested a 2017 Sierra K1500 with a Serial Gateway Module at 6 and 14 and got the typical 60 and 120 Ω measurements respectively, with the system intact and with the termination resistor at the rear of the truck removed.
There will be a few "twists" and "turns" in some testing, depending where modules are on the networks, but to me it's just wires, connectors and modules, nothing more than a bit tedious access in some instances.
I think it's actually easier to diagnose electrical problems with segregated modules. Software and transceiver issues are more difficult as there is so much information going into the gateway.
I wish there were codes for packet loss or lack of acknowledgment. I have a friend who writes software and he embeds diagnostic information into the software. They may do it and it's just not apparent to the layman!
Indeed, Martin. Starting with the 2017 Impreza, Subaru has DLC pins 6 and 14 wired to nothing more than a single 120 ohm resistor in the BIU (Body control). Anything attempting to communicate via the DLC must first pass a background check by the BIU. It will be interesting to see if technicians will expect to see 60 ohms during a dry CAN resistance test, and instead interpret the 120 ohms as a problem.
As for scope and/or DMM access to main CAN circuitry, there are still plenty of easy access points.